×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
peterd
New Member
Member since: ‎01-23-2012
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-23-2012
View All

Re: How to track maximum overlapping transactions?

by in Splunk Search
‎08-22-2014 12:10 PM
‎08-22-2014 12:10 PM
Thanks, but the concurrency command calculates the number of simultaneous event start times. According to the documentation: "Concurrency is the number of events that occurred simultaneously at the start time of the event, not the number of events that occurred during any overlap." .. and i need that "overlap" count. e.g. the maximum number of overlapping transactions by clientid. ... View more

How to track maximum overlapping transactions?

by in Splunk Search
‎08-22-2014 11:18 AM
‎08-22-2014 11:18 AM
I maintain a set of charts that keep track of REST APIs which create and delete resources (documents). In this particular case, tracking the maximum number of "open" documents, where a PUT creates the resource, and DELETE removes the resource. The search i attempted was: uri_path=*docs* (method=PUT OR method=DELETE) | eval s=case(method=="PUT",1,method=="DELETE",-1) | transaction documentid maxspan=24h startswith="method==PUT" endswith="method=DELETE" connected=t unifyends=t keepevicted=true | streamstats sum(s) as c by clientid | eventstats max(c) as mcc by clientid | stats max(mcc) as MaxOpenDocs by clientid however, MaxOpenDocs is always 0 (which is clearly wrong). My initial thought was to use accum, but it lacks a by clause. Any recommendations? Clearly I am missing something. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM